Server : Apache System : Linux server2.corals.io 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 15 09:17:08 EST 2021 x86_64 User : corals ( 1002) PHP Version : 7.4.33 Disable Function : exec,passthru,shell_exec,system Directory : /home/corals/old/vendor/magento/module-securitytxt/ |
# Security.txt
### Summary
> When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.
Source: https://tools.ietf.org/html/draft-foudil-securitytxt-09
The Magento_Securitytxt module provides the following functionality:
* allows to save the security configurations in the admin panel
* contains a router to match application action class for requests to the `.well-known/security.txt` and `.well-known/security.txt.sig` files.
* serves the content of the `.well-known/security.txt` and `.well-known/security.txt.sig` files.
A valid security.txt file could look like the following example:
```
Contact: mailto:[email protected]
Contact: tel:+1-201-555-0123
Encryption: https://example.com/pgp.asc
Acknowledgement: https://example.com/security/hall-of-fame
Policy: https://example.com/security-policy.html
Signature: https://example.com/.well-known/security.txt.sig
```
Security.txt can be accessed at below location:
`https://example.com/.well-known/security.txt`
To create security.txt signature (security.txt.sig) file:
`gpg -u KEYID --output security.txt.sig --armor --detach-sig security.txt`
To verify the security.txt file's signature:
`gpg --verify security.txt.sig security.txt`